5.5 Configuring Command Control

Command Control uses rules to protect and control user commands. When configuring a rule, you need to set rule conditions to determine which rule or rules are processed, depending, for example, on the command submitted or the user who submitted it. You also need to define what processing to do if the rule conditions are matched.

The components you can define and configure for a rule are as follows:

Access times to define specific times during which access is denied or granted. For configuration information, see Section 5.10, Access Times.

NOTE:To enable access to the Command Control console for a Framework user and to control the level of access available, you must add the user to a group with the appropriate roles defined. See Section 4.2.4, Configuring Roles for details.

The following additional features are provided to assist you with Command Control configuration and management:

5.5.1 Defining Audit Settings

Submit details such as the submitting username, hostname, and primary group.

Target details such as the run username and the run hostname.

Command details, which include the original command requested and the actual command run.

Authorization status, either yes or no.

Session capture status, either yes or no.

Audit ID, which is the unique ID used to group audit events for the user’s session.

Codeset, which is the character encoding used for localization.

Terminal details such as tty name, terminal dimensions, and type.

The Audit Settings option allows you to modify this default record and add the following:

Encryption of sensitive password data in keystroke capture reports along with a password that allows authorized Framework administrators to decrypt it.

Additional options that can be audited for each record.

To define audit settings:

Click Command Control on the home page of the console.

Click Audit Settings in the task pane.

Configure the Password keystorke settings:

Select the Password filter check box.

In the Password filter text box, specify the text that is used to prompt users for their passwords.

For example, if your systems request a user’s password by using the word Password, specify Password in this field. If your systems use password, enter password in this field. If your systems use either, enter assword in this field. This ensures that the password the user enters in response to this prompt is encrypted in reports.

Select the Encryption password check box.

In the Encryption password text box, specify the password to be used to decrypt the sensitive password data in the report.

This password must be entered on the Command Control Keystroke Report page to decrypt the password data.

Specify the password again in the Confirm password text box.

(Optional) Select from the following check boxes to add more information to the audit record:

Command:
Complete information about the command being run, including the actual filename and arguments.

Host:
Information about the submitting host

Environment:
Complete list of the environment variables passed to the executed command.

Local time:
The time on the machine that submitted the request.

Cwd:
Details about the current working directory where the command was executed.

Options:
Details about the various process control options for executing the command.

Run Account:
Information about the account that is used to execute the command.

Process:
Details about the process that submitted the request.

Jobs:
The job control setting that were passed to the executed command.

Passwd:
Details of the /etc/passwd entry for the user submitting the request.

Groups:
The group membership details for the executed command.

Logon:
The login time and source for the user submitting the request.

Click Finish.

5.5.2 Backing Up and Restoring

The backup option allows you to create snapshots of the command control database and restore these snapshots at future date. You can back up and restore from the Framework Manager console, but you need to use the command line to remove a backed-up snapshot. For information about the command line options, see Section 10.2.2, Backing Up and Restoring a Command Control Configuration.

Click Command Control on the home page of the console.

Click Backup and Restore.

To back up the database, specify a reason for the backup, then click Backup.

To restore a previous version of the database, select the version, then click Restore.

The current version is overwritten by the selected version.

Click Close.

The following information is recorded for each backed-up version:

Date:
The date and time the backup was performed.

Administrator:
The user that performed the backup.

Reason:
The reason for performing the backup. This is optional information, but recommended.

5.5.3 Finding a Reference

The Find References option allows you to find where a specific account group, user group, host group, command, script, or access time is referenced in the database. For example, you could use this option to find out which account group or groups a specific user group belongs to.

Click Command Control on the home page of the console.

Select the entity for which you want to find references.

Click Find References in the task pane. The groups or rules in which the entity is referenced are displayed.

To go to one of the listed groups or rules, double-click it, or to return to the navigation pane, click Close.

5.5.4 Defining Custom Attributes

Custom attributes can be defined for account groups, user groups, host groups, commands, and access times to provide additional parameters for use in scripts. For example, you could set an expiration date as a custom attribute for a user group, check for this date in your script, then expire the user group when the date is reached.

To define custom attributes:

Click Command Control on the home page of the console.

Select the entity you want to add custom attributes to.

Click Custom Attributes in the task pane.

Click Add.

In the Name field, specify the name of the custom attribute, such as Expiration date.

In the Value field, specify the value for the attribute, such as the date you want the entity to expire.

Repeat Step 4 through Step 6 for any other custom attributes you want to add.

Click Finish.

5.5.5 Functions

The udsh command invokes commands on a set of hosts. It concurrently issues a Command Control request for each host that is specified and returns the output from all the hosts, formatted so that command results from all hosts can be managed.

Specify the Command Control host groups to retrieve the list of agents to run the command on. Wildcards must be properly escaped. For example to run udsh against all host groups that begin with ho, enter the following:

-g ho\*

-l <user>

Specify the user to run the command as.

-q

Quiet. Do not display output.

-t <timeout>

Specify the timeout in seconds for the command to complete on each host.

-v

Verbose output.

-w <host>,<host wildcard>

Specify the agents to run the command on. Wildcards must be properly escaped. For example, to run udsh against all hosts that begin with host1, enter the following:

-w host1\*

If a command is not specified, the user is placed at a command prompt. Each entry run from this prompt is run separately on each host. If readline(3) is available, command line editing and history are provided.

Keywords

There are various macros that can be specified in the command to substitute keywords when the command is run on the remote host. For example, the following command uses the ${rhost}$ keyword. It performs a usrun echo command of the remote host name on all agents that have a command control agent deployed:

udsh -w \* /bin/echo '${rhost}$'

Table 5-2 udsh Keywords

Keyword

Description

${uid}$

Calling user’s UID

${gid}$

Calling user’s primary group ID

${gecos}$

Calling user’s gecos

${home}$

Calling user’s home directory

${shell}$

Calling user’s shell

${cwd}$

Calling user’s current working directory

${lhost}$

Local hostname

${rhost}$

Remote hostname

${pid}$

PID of the individual udsh call

${ppid}$

PID of the udsh

5.5.6 Adding a Category

You can use the appropriate Add Category option to group your account groups, user groups, host groups, commands, scripts, and access times into categories for ease of use and maintenance.

Click Command Control on the home page of the console.

Select the section to which you want to add a category. You can also add subcategories to existing categories.

Click the Add Category option in the task pane.

Specify a name for the category.

Click Finish.

5.5.7 Deleting a Category

Before deleting a category, you must delete or move the items and subcategories that it contains.

Click Command Control on the home page of the console.

Select the category you want to delete.

Click the Delete Category option in the task pane. The category is deleted.